Privacy Act of 1974; System of Records, 18752-18756 [E7-6982]

Agencies

• DEPARTMENT OF VETERANS AFFAIRS

[Federal Register Volume 72, Number 71 (Friday, April 13, 2007)]
[Notices]
[Pages 18752-18756]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E7-6982]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF VETERANS AFFAIRS


Privacy Act of 1974; System of Records

AGENCY: Department of Veterans Affairs (VA).

ACTION: Notice of publication of new system of records.

-----------------------------------------------------------------------

SUMMARY: The Privacy Act of 1974 (Title 5, United States Code (U.S.C.), 
Section 552 requires that all agencies publish in the Federal Register 
a notice of the existence of and character of their systems of records. 
Notice is hereby given that the Department of Veterans Affairs (VA) is 
adding a new system of

[[Page 18753]]

records entitled ``Non-Health Data Analyses and Projections for VA 
Policy and Planning--VA'' (149VA008A).

DATES: Comments on the amendment of this system of records must be 
received no later than May 14, 2007. If no public comment is received, 
the new system will become effective May 14, 2007.

ADDRESSES: Written comments may be submitted through https://
www.Regulations.gov; by mail or hand-delivery to the Director, 
Regulations Management (00REG), Department of Veterans Affairs, 810 
Vermont Ave., NW., Room 1068, Washington, DC 20420; or by fax to (202) 
273-9026. Copies of comments received will be available for public 
inspection in the Office of Regulation Policy and Management, Room 
1063B, between the hours of 8 a.m. and 4:30 p.m. Monday through Friday 
(except holidays). Please call (202) 273-9515 for an appointment. In 
addition, during the comment period, comments may be viewed online 
through the Federal Docket Management System.

FOR FURTHER INFORMATION CONTACT: Dat Tran, Director, Office of Data 
Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 
810 Vermont Ave., NW., Washington, DC 20420, (202) 273-6482.

SUPPLEMENTARY INFORMATION: 

I. Description of the Proposed System of Records

    The ``Non-Health Data Analyses and Projections for VA Policy and 
Planning'' system of records is a collection of non-health-related 
database extracts utilized by the Department of Veterans Affairs' 
Office of Policy and Planning (OPP) to perform its statutory mission 
under title 38, U.S.C. 527. OPP supports VA's Office of the Secretary, 
Administrations, and staff offices through qualitative, quantitative, 
and actuarial analyses, projections, and evaluations regarding all non-
health-related benefits issues involving service members, veterans, 
survivors, and dependents. A more complete description of the duties 
and activities of Office of Policy and Planning (OPP) is at https://
www1.va.gov/op3/docs/008_org.pdf.
    The extracts are provided from master databases under the 
jurisdiction of the Veterans Benefits Administration, Department of 
Defense (DoD), and other Federal and State agencies. This system of 
records will not contain protected health information covered by the 
HIPAA Privacy and Security Rules.
    These data extracts contain personal identifiers (e.g., social 
security numbers and military service numbers etc.), residential and 
professional contact data (e.g., address and telephone numbers etc.), 
population demographics (e.g., gender and zip codes etc.), military 
service-related data (e.g., branch of service and service dates etc.), 
financial-related data (e.g., amount of historic benefit payments 
etc.), claims processing codes and information (e.g., disability 
compensation and pension award codes etc.), and other VA and non-VA 
Federal information.
    The information is retrievable by social security number, military 
service number, claim or file number, non-VA Federal benefit 
identifiers, and other personal identifiers. Consequently, a Privacy 
Act system of records must be established in order to protect this 
information.

II. Proposed Routine Use of Disclosures of Data in the System

    VA is proposing to establish the following routine use disclosures 
of the information that will be maintained in the system.
    1. Upon suspicion or confirmation of compromised data in this 
system of records, OPP may disclose any system records to law 
enforcement and security entities, as necessary, for the investigations 
of any data security, identity theft, and fraud issues.
    2. Disclosure may be made to a Member of Congress or to a 
Congressional staff member in response to an inquiry of the 
Congressional office made at the written request of the constituent 
about whom the record is maintained.
    3. Any system records disclosure may be made to the National 
Archives and Records Administration in records management inspections 
under title 44, U.S.C.
    4. Any information in this system may be disclosed to the 
Department of Justice (DOJ), including United States (U.S.) Attorneys, 
upon its official request in order for VA to respond to pleadings, 
interrogatories, orders or inquiries from DOJ and to supply DOJ with 
information to enable DOJ to represent the U.S. Government in any phase 
of litigation or in any case or controversy involving VA.
    5. Any system records may be disclosed to a Federal agency for the 
conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.
    6. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor, public 
or private agency, or other entity or individual with whom VA has an 
agreement or contract to perform the services of the contract or 
agreement. This routine use includes disclosures by the individual or 
entity performing the service for VA to any secondary entity or 
individual to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA.
    7. Any system records disclosure may be made to the Office of 
Management and Budget (OMB) in order for them to perform their 
statutory responsibilities for evaluating federal programs.
    8. Upon receipt of a written request, VA may disclose information 
to any state, tribe, county, or municipal agency for the purposes of 
outreach to a benefit under Title 38 Code of Federal Regulations (CFR).
    9. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) It is suspected 
or confirmed that the security or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    10. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ

[[Page 18754]]

determines that such information is relevant to DoJ's representation of 
the United States or any of its components in legal proceedings before 
a court or adjudicative body, provided that, in each case, the agency 
also determines prior to disclosure that disclosure of the records to 
the Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    In determining whether to disclose records under this routine use, 
VA will comply with the guidance promulgated by the Office of 
Management and Budget in a May 24, 1985, memorandum entitled ``Privacy 
Act Guidance--Update'', currently posted at https://www.whitehouse.gov/
omb/inforeg/guidance1985.pdf.
    11. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

III. Compatibility of the Proposed Routine Uses

    The Privacy Act permits VA to disclose information about 
individuals without their consent for a routine use when the 
information will be used for a purpose that is compatible with the 
purpose for which we collected the information. In all of the routine 
use disclosures, either the recipient of the information will use the 
information in connection with a matter relating to one of VA's 
programs, or will use the information to provide a benefit to VA, or 
disclosure is required by law.
    The ``notice of intent to publish'' and an advance copy of the 
system notice have been sent to the appropriate Congressional 
committees and the OMB's Director as required by title 5, U.S.C. a(r) 
(Privacy Act) and guidelines issued by OMB on December 12, 2000 
(65FR77677).

    Approved: March 29, 2007.
Gordon H. Mansfield,
Deputy Secretary of Veterans Affairs.
149VA008A

SYSTEM NAME:
    ``Non-Health Data Analyses and Projections for VA Policy and 
Planning--VA''.

SYSTEM LOCATION:
    One location for electronic and paper records, following VA-
approved procedures, is in the Office of the Director, Office of Data 
Development and Analysis, (008A3), U.S. Department of Veterans Affairs, 
810 Vermont Ave., NW., Washington, DC 20420. Electronic records are 
also placed on a Department of Veterans Affairs' (VA's) secured server 
housed at VA's Austin Automation Center, 1615 Woodward St., Austin, TX 
78772. Records necessary for a contractor to perform a contract with VA 
are located at the respective contractor's facility.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Service members and veterans who have applied for any non-
health-related benefits under title 38, U.S.C.
    2. Veterans' spouse, surviving spouse, previous spouse, children, 
and parents who have applied for any non-health-related benefit under 
title 38, U.S.C.
    3. Beneficiaries of other Federal agencies or other governmental 
entities.
    4. Individuals who have applied for any non-health-related benefits 
under title 38, U.S.C., but who do not meet the requirements under 
Title 38 to receive such benefits.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records may include personal identifiers (e.g., social security 
numbers and military service numbers etc.), residential and 
professional contact data (e.g., address and telephone numbers etc.), 
population demographics (e.g., gender and zip codes etc.), military 
service-related data (e.g., branch of service and service dates etc.), 
financial-related data (e.g., amount of historic benefit payments 
etc.), claims processing codes and information (e.g., disability 
compensation and pension award codes etc.), and other VA and non-VA 
Federal information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Title 38, U.S.C. 527.

PURPOSE(S):
    Non-health-related qualitative, quantitative, and actuarial 
analyses and projections to support policy analyses and recommendations 
to improve VA services for veterans and their families. Analysis and 
review of policy and long-term planning issues affecting veterans 
programs to support legislative, regulatory and policy recommendations, 
decisions and initiatives. These activities are conducted for the 
Secretary, VA Administrations and Staff Offices, special programs and 
projects within the Department (e.g., special studies, advisory 
committees and task forces etc.), and entities external to VA, such as 
the Office of Management and Budget (OMB), and the United States (U.S.) 
Congress.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:

    Note: To the extent that records contained in the system include 
individually-identifiable information protected by title 38, U.S.C. 
7332, that information cannot be disclosed under any of the 
following routine uses unless there is also specific disclosure 
authority in title 38, U.S.C. 7332.

    1. Upon suspicion or confirmation of compromised data in this 
system of records, Office of Policy and Planning (OPP) may disclose any 
system records to law enforcement and security entities, as necessary, 
for the investigations of any data security, identity theft, and fraud 
issues.
    2. Disclosure may be made to a Member of Congress or to a 
Congressional staff member in response to an inquiry of the 
Congressional office made at the written request of the constituent 
about whom the record is maintained.
    3. Any system records disclosure may be made to the National 
Archives and
    Records Administration in records management inspections under 
title 44, U.S.C.
    4. Any information in this system may be disclosed to the 
Department of Justice (DOJ), including U.S. Attorneys, upon its 
official request in order for VA to respond to pleadings, 
interrogatories, orders or inquiries from DOJ and to supply DOJ with 
information to enable DOJ to represent the U.S. Government in any phase 
of litigation or in any case or controversy involving VA.
    5. Any system records may be disclosed to a Federal agency for the

[[Page 18755]]

conduct of research and data analysis to perform a statutory purpose of 
that Federal agency upon the prior written request of that agency, 
provided that there is legal authority under all applicable 
confidentiality statutes and regulations to provide the data and OPP 
has determined prior to the disclosure that OPP data handling 
requirements are satisfied. OPP may disclose limited individual 
identification information to another Federal agency for the purpose of 
matching and acquiring information held by that agency for OPP to use 
for the purposes stated for this system of records.
    6. Any system records may be disclosed to individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to perform such 
services as VA may deem practicable for the purposes of laws 
administered by VA, in order for the contractor, subcontractor, public 
or private agency, or other entity or individual with whom VA has an 
agreement or contract to perform the services of the contract or 
agreement. This routine use includes disclosures by the individual or 
entity performing the service for VA to any secondary entity or 
individual to perform an activity that is necessary for individuals, 
organizations, private or public agencies, or other entities or 
individuals with whom VA has a contract or agreement to provide the 
service to VA.
    7. Any system records disclosure may be made to the OMB in order 
for them to perform their statutory responsibilities for evaluating 
Federal programs.
    8. Upon receipt of a written request, VA may disclose information 
to any state, tribe, county, or municipal agency for the purposes of 
outreach to a benefit under Title 38 Code of Federal Regulations (CFR).
    9. Any records may be disclosed to appropriate agencies, entities, 
and persons under the following circumstances: When (1) It is suspected 
or confirmed that the security or confidentiality of information in the 
system of records has been compromised; (2) the Department has 
determined that as a result of the suspected or confirmed compromise 
there is a risk of embarrassment or harm to the reputations of the 
record subjects, harm to economic or property interests, identity theft 
or fraud, or harm to the security or integrity of this system or other 
systems or programs (whether maintained by the Department or another 
agency or entity) that rely upon the compromised information; and (3) 
the disclosure is made to such agencies, entities, and persons who are 
reasonably necessary to assist in connection with the Department's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm.
    10. VA may disclose information in this system of records to the 
Department of Justice (DoJ), either on VA's initiative or in response 
to DoJ's request for the information, after either VA or DoJ determines 
that such information is relevant to DoJ's representation of the United 
States or any of its components in legal proceedings before a court or 
adjudicative body, provided that, in each case, the agency also 
determines prior to disclosure that disclosure of the records to the 
Department of Justice is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records. VA, on its own initiative, may disclose records in this system 
of records in legal proceedings before a court or administrative body 
after determining that the disclosure of the records to the court or 
administrative body is a use of the information contained in the 
records that is compatible with the purpose for which VA collected the 
records.
    In determining whether to disclose records under this routine use, 
VA will comply with the guidance promulgated by the Office of 
Management and Budget in a May 24, 1985, memorandum entitled ``Privacy 
Act Guidance--Update'', currently posted at https://www.whitehouse.gov/
omb/inforeg/guidance1985.pdf.
    11. VA may disclose on its own initiative any information in this 
system, except the names and home addresses of veterans and their 
dependents, which is relevant to a suspected or reasonably imminent 
violation of law, whether civil, criminal or regulatory in nature, and 
whether arising by general or program statute or by regulation, rule or 
order issued pursuant thereto, to a Federal, State, local, tribal, or 
foreign agency charged with the responsibility of investigating or 
prosecuting such violation, or charged with enforcing or implementing 
the statute, regulation, rule or order. On its own initiative, VA may 
also disclose the names and addresses of veterans and their dependents 
to a Federal agency charged with the responsibility of investigating or 
prosecuting civil, criminal or regulatory violations of law, or charged 
with enforcing or implementing the statute, regulation, rule or order 
issued pursuant thereto.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    The Department will not make disclosures from this system of 
records to consumer reporting agencies.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    OPP's records are maintained electronically or in hard-copy form. 
All portable electronic storage devices and media are stored in a 
combination-locked safe which is secured inside a key-accessed room at 
the U.S. Department of Veterans Affairs, 810 Vermont Ave., NW., 
Washington, DC 20420. Other electronic data is placed on VA's 
segregated server which is housed at VA's Austin Automation Center, 615 
Woodward St., Austin, TX 78772. Information stored on paper is kept 
locked in file cabinets when not in immediate use. All imported and 
exported OPP data is handled and housed via the provisions of signed 
data use agreements and current VA data security policies, procedures, 
and directives. When contractors must have access to data in this 
system of records in order to perform the contract, contractors house 
VA data in their own facilities in accordance with current VA data 
security policies, procedures and directives.

RETRIEVABILITY:
    OPP's records may be retrieved by using an individual's social 
security number, military service number, VA claim or file number, non-
VA Federal benefit identifiers, and other personal identifiers.

SAFEGUARDS:
    All VA offices are protected from outside access by security 
personnel seven days a week. Entrances and exits are monitored by 
security cameras and protected by an alarm system. All VA staff and 
visitors are required to either have a VA-issued employment 
identification card or a temporary visitor identification badge. All 
work stations are secured during daytime and evening hours.
    Electronic data located in Washington, DC is stored in a 
combination-key-locked safe which is secured inside a limited-access 
room. Authorized employee access to the limited-access room and the 
safe is based upon strict business needs as determined by OPP's 
Assistant Secretary. Textual data is stored in key-locked cabinets 
inside secured rooms. Access to the server in the Austin Automation 
Center in Austin, TX is

[[Page 18756]]

generally limited by appropriate locking devices and restricted to 
authorized VA personnel. The Austin Automation Center is a secure 
facility.
    All data requests must be in writing, reviewed by a panel of OPP 
personnel, concurred on by OPP's Assistant Secretary, and released 
under the auspices of a signed data use agreement. File extracts 
provided for specific official uses will be limited to contain only the 
information fields needed for the analysis. Data used for analyses will 
have individual identifying characteristics removed or encrypted 
whenever possible. Unencrypted sensitive variables will only be used 
for analysis as a last resort.
    Security complies with applicable Federal Information Processing 
Standards (FIPS) issued by the National Institute of Standards and 
Technology (NIST). Health information files containing unique 
identifiers such as social security numbers are encrypted to NIST-
verified FIPS 140-2 standard or higher for storage, transport, or 
transmission. All files stored or transmitted on laptops, workstations, 
data storage devices and media are encrypted. Files are kept encrypted 
at all times except when data is in immediate use, per specifications 
by VA Office of Information Technology. NIST publications were 
consulted in development of security for this system of records.
    In the event of a contract or special project, VA may secure the 
services of contractors and/or subcontractors. In such cases, VA will 
maximize the utilization of encrypted data, when possible. Contractors 
and their subcontractors are required to maintain the same level of 
security as VA staff for non-health care information that has been 
disclosed to them. Unless explicitly authorized in writing by the VA, 
sensitive or protected data made available to the contractor and 
subcontractors shall not be divulged or made known in any manner to any 
person.
    All VA employees and contractors are mandated to complete annual 
cyber security and privacy training.

RETENTION AND DISPOSAL:
    In accordance with Title 36, CFR, Section 1234.34, Destruction of 
Electronic Records, ``electronic records may be destroyed only in 
accordance with a records disposition schedule approved by the 
Archivist of the United States, including General Records Schedules.'' 
This Office's electronic files are destroyed or deleted when no longer 
needed for administrative, legal, audit, or other operational purposes 
in accordance with records disposition authority approved by the 
Archivist.
    If the Archivist has not approved disposition authority for any 
records covered by the system notice, the System Manager will take 
immediate action to have the disposition of records in the system 
reviewed and paperwork initiated to obtain an approved records 
disposition authority in accordance with VA Handbook 6300.1, Records 
Management Procedures. The records may not be destroyed until VA 
obtains an approved records disposition authority. OPP will publish an 
amendment to this notice upon issuance of a NARA-approved disposition 
authority.

SYSTEM MANAGER(S) AND ADDRESS(ES):
    OPP's system manager is the Director, Office of Data Development 
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Ave., NW., Washington, DC 20420.

NOTIFICATION PROCEDURE:
    An individual who wishes to determine whether a record is being 
maintained in this system under his or her name or other personal 
identifier, or wants to determine the contents of such record, should 
submit a written request to the Director, Office of Data Development 
and Analysis, (008A3), U.S. Department of Veterans Affairs, 810 Vermont 
Ave., NW., Washington, DC 20420. Such requests must contain a 
reasonable description of the records requested. In addition, 
identification of the individual requesting the information will be 
required in the written request and will minimally consist of the 
requester's name, signature, social security number, address, telephone 
number, and return address.

RECORD ACCESS PROCEDURES:
    (See Notification procedure above.)

CONTESTING RECORDS PROCEDURES:
    (See Notification procedure above.)

RECORD SOURCE CATEGORIES:
    This Office's information is obtained from VA's benefits-related 
databases, the DoD, Federal and State agencies, and other organizations 
whose data is necessary to accomplish the purpose for this system of 
records.

 [FR Doc. E7-6982 Filed 4-12-07; 8:45 am]
BILLING CODE 8320-01-P